First published: Thu Jun 27 2019
A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Zyxel Uag2100 Firmware | <=4.18(aaiz.1)c0 | |
Zyxel Uag2100 | | |
Zyxel Uag4100 Firmware | <=4.18(aatd.1)c0 | |
Zyxel Uag4100 | | |
Zyxel Uag5100 Firmware | <=4.18(aapn.1)c0 | |
Zyxel Uag5100 | | |
Zyxel Usg110 Firmware | <=4.30 | |
Zyxel Usg110 | | |
Zyxel Usg210 Firmware | <=4.30 | |
Zyxel Usg210 | | |
Zyxel Usg310 Firmware | <=4.30 | |
Zyxel Usg310 | | |
Zyxel Usg1100 Firmware | <=4.30 | |
Zyxel Usg1100 | | |
Zyxel Usg1900 Firmware | <=4.30 | |
Zyxel Usg1900 | | |
Zyxel Usg2200-vpn Firmware | <=4.30 | |
Zyxel Usg2200-vpn | | |
https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html
The vulnerability ID for this XSS vulnerability is CVE-2019-12581.
CVE-2019-12581 has a severity of medium with a CVSS score of 6.1.
Selected Zyxel ZyWall, USG, and UAG devices are affected by CVE-2019-12581.
An attacker can exploit CVE-2019-12581 by injecting arbitrary web script or HTML via the err_msg parameter in the free_time_failed.cgi CGI program.
Fixes and patches are available for CVE-2019-12581. It is recommended to update to the latest firmware versions provided by Zyxel.